Summary

Under the proposed Cloud and AI Development Act (CADA), the national competent authority of establishment holds exclusive competence to enforce transparency obligations on cloud computing service providers. As proposed in Article 25, these authorities oversee the recognition process and investigate infringements, while Member States are required to lay down effective, proportionate, and dissuasive penalties under Article 24. Auditing organisations play a critical verification role by assessing compliance with Union assurance levels and issuing audit opinions, but they do not hold regulatory enforcement powers. Providers must report material changes immediately under Article 23 to avoid sanctions.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework. For legal teams and compliance officers, understanding the enforcement architecture is critical. The proposal creates a clear chain of responsibility: providers must self-monitor and report changes; independent auditors verify compliance; and national competent authorities enforce the rules and impose penalties.

The Exclusive Enforcer: National Competent Authority of Establishment

The cornerstone of CADA's enforcement mechanism is the principle of single-point oversight to prevent regulatory fragmentation. As proposed in Article 25(4), the Member State in which the cloud computing service provider has its "main establishment" (defined as the head office or registered office from which the principal financial functions and operational control are exercised) has exclusive competence for enforcing the sovereignty chapter of the regulation.

This designation simplifies the regulatory landscape for multinational providers. Rather than navigating divergent enforcement regimes across all Member States where they operate, providers deal primarily with the competent authority in their home jurisdiction. This "country of origin" principle ensures legal certainty and avoids duplicate investigations.

However, this exclusivity does not isolate providers from cross-border scrutiny. Article 27 mandates mutual assistance between competent authorities, allowing for the exchange of information and coordinated investigations. Furthermore, Article 28 enables cross-border cooperation. If a "competent authority of destination" (where the service is used) suspects non-compliance, it may request the authority of establishment to assess the matter and take necessary investigatory and enforcement measures. The authority of establishment must respond within two months, ensuring that the single point of contact remains effective across the Union.

Transparency Obligations: The Trigger for Enforcement

The enforcement mechanism is triggered by the transparency obligations outlined in Article 23. This article imposes a continuous duty on recognised cloud computing service providers to monitor their own compliance status.

Under Article 23(1), a recognised provider must, "as soon as possible," notify both the auditing organisation and the national competent authority of establishment upon becoming aware of any information or any material change in circumstances that may affect:

  • The audit report;
  • The 'positive' audit opinion; or
  • The recognition status itself.

This obligation is not a one-time event upon initial recognition. It is an ongoing requirement to ensure the central repository of recognised services remains accurate. If a provider fails to report a material change (such as a shift in ownership, a change in infrastructure location, or a security incident that impacts the assurance level), they risk losing their recognition and facing penalties.

Upon receiving such a notification, the auditing organisation must assess whether the audit report or opinion needs to be amended or revoked (Article 23(2)). If the auditor amends or revokes the opinion, they must notify the competent authority. Subsequently, the competent authority assesses whether its recognition needs to be amended or revoked, and if so, notifies other Member States and the Commission (Article 23(3)).

The Verification Role of Auditing Organisations

It is crucial to distinguish the roles of the actors involved in the sovereignty framework. Auditing organisations are independent third parties, not regulators.

  • Verification Function: As per Article 20, providers seeking Union assurance levels 2, 3, or 4 must undergo independent third-party audits. Auditing organisations verify compliance against the criteria in Annex II and issue an audit report with a 'positive' or 'negative' opinion.
  • No Enforcement Power: Auditing organisations do not have the power to impose fines, order the cessation of infringements, or revoke recognition directly. Their role is to provide the evidence and opinion upon which the competent authority acts.
  • Reporting Duty: If an auditor identifies a material change or non-compliance, they must notify the competent authority. They may also revoke their own audit report if the provider intentionally or negligently supplied incorrect evidence (Article 20(7)), but the formal recognition status remains with the authority.

Investigative and Enforcement Powers

To ensure compliance, the national competent authority of establishment is granted significant powers under Article 26. These powers are essential for verifying the accuracy of the transparency reports submitted under Article 23.

Investigative Powers (Article 26(1)):

  • The authority can require any cloud computing service provider, as well as auditing organisations, to provide information relating to a suspected infringement.
  • They can carry out inspections of premises or request judicial authorities to order such inspections to examine, seize, or obtain copies of information.
  • They can ask staff or representatives to give explanations and record their answers.

Enforcement Powers (Article 26(2)):

  • The authority can order the cessation of infringements and impose remedies proportionate to the infringement.
  • They can impose fines or request judicial authorities to do so for failure to comply with the Regulation.
  • They can impose periodic penalty payments to ensure that an infringement is terminated.

These measures must be effective, dissuasive, and proportionate, respecting the rights of defence and the right to an effective judicial remedy.

Penalties and Compensation

Article 24 places the onus on Member States to lay down the rules on penalties applicable to infringements of the sovereignty chapter by cloud computing service providers. The proposal mandates that these penalties be "effective, proportionate and dissuasive."

When determining the level of penalties, Member States must consider a non-exhaustive list of criteria under Article 24(2), including:

  • The nature, gravity, scale, and duration of the infringement.
  • Any action taken by the infringing party to mitigate or remedy the damage.
  • Any previous infringements by the infringing party.
  • The financial benefits gained or losses avoided due to the infringement.
  • The infringing party's annual turnover in the Union.

Crucially, Article 24(3) provides for civil liability alongside administrative penalties. Recipients of cloud computing services have the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under the sovereignty chapter. This dual track of administrative fines and civil compensation creates a strong incentive for rigorous compliance and transparency.

What this means for you

For in-house counsel and compliance officers, the CADA proposal shifts the burden of proactive monitoring onto cloud providers. The following actions are recommended:

  1. Identify Your Competent Authority: Determine your "main establishment" as defined in Article 25(4). This is your primary regulatory contact. Ensure your compliance team has a clear line of communication with this authority and understands their specific national penalty regime.
  2. Establish Material Change Protocols: Develop internal processes to detect "material changes" in circumstances that could affect your Union assurance level. This includes changes in ownership structure, security incidents, subcontractor arrangements, or infrastructure location. Under Article 23, you must notify the auditor and competent authority "as soon as possible." Delays could be construed as non-compliance and trigger penalties.
  3. Prepare for Audits: For providers seeking Union assurance levels 2, 3, or 4, independent audits are mandatory. Ensure your internal controls are robust enough to withstand scrutiny by auditing organisations, whose reports form the basis of regulatory recognition. Remember, auditors verify but do not enforce.
  4. Review Contractual Liability: Assess your exposure to civil claims under Article 24(3). Ensure your service level agreements (SLAs) and terms of service clearly delineate responsibilities, but be aware that statutory rights to compensation for recipients cannot be contracted away if an infringement occurs.
  5. Monitor Member State Implementation: While CADA harmonises the framework, Member States will define specific penalty regimes. Track national implementations to understand the potential financial exposure in your home jurisdiction, as the Regulation does not set a maximum fine amount.

Common misconceptions

  • Misconception: "Auditing organisations enforce the rules."
    • Reality: Auditing organisations verify compliance and issue opinions. They report issues to the national competent authority, which holds the exclusive enforcement and penalty powers under Article 26 and Article 24.
  • Misconception: "I only deal with regulators in countries where I have customers."
    • Reality: The "country of establishment" principle means your primary regulator is where your main establishment is located, regardless of where your customers are. However, cross-border cooperation mechanisms under Article 28 allow other Member States to trigger investigations if they suspect non-compliance.
  • Misconception: "Transparency obligations only apply when I first apply for recognition."
    • Reality: Article 23 imposes ongoing transparency obligations. Providers must continuously monitor for material changes and report them immediately. Failure to do so is an infringement subject to penalties.
  • Misconception: "Penalties are fixed by the EU."
    • Reality: Article 24 requires Member States to set their own penalty rules, provided they are effective, proportionate, and dissuasive. The specific amounts and procedures will vary by Member State.

This is general information about a draft EU regulation, not legal advice.